NIST Review Won't Disrupt Work with NSA

The National Institute of Standards and Technology continues to collaborate with the National Security Agency on its IT security guidance even as NIST investigates whether the spy agency meddled with one of its special publications.

"We're being a little more cautious, but we certainly have not stopped any of our engagements," Scholl says in an interview with Information Security Media Group. "We certainly have not stopped asking them some of the hard questions that we looked at them to help us with, as well with everybody else. In the areas where we are working to produce standards guidelines, best practices, we're still collaborating."

Scholl, citing NIST Director Patrick Gallagher, says one reason NIST collaborates with the NSA on cryptography standards is that the NSA employs some of the smartest mathematicians in the world. "Collaborating and working with them in this space is both appropriate and beneficial to us," Scholl says.

Collaboration is Required

NIST, by law and policies, is required to collaborate with the NSA, other federal agencies, industry and academia in developing its array of IT security best practices.

In 2006, NIST issued Special Publication 800-90 (now SP 800-90A), Deterministic Random Bit Generators, guidance that specifies mechanisms for the generation of random bits using deterministic methods, an algorithm which, given a particular input, will always produce the same output.

A year later, cryptographer Bruce Schneier, writing in Wired, suggested the random-number standards might contain a backdoor to allow the NSA to spy on organizations employing the random bit generators.

Scholl says he believes NIST looked into Schneier's allegations at the time. "I'm not sure what the exact deliberations were, which is why I think a process review is important to assure that all these comments are considered and looked at," he says.

NIST decided to conduct the review after The New York Times and ProPublica published an article in September that reported the NSA had cracked or circumvented much of the encryption that shields global commerce and banking systems, trade secrets and medical records and Internet communications (see Report: NSA Circumvented Encryption).

Applying Lessons Learned

Though the review is focused on how NIST develops its cryptographic standards, the lessons learned from the examination could be applied to the way NIST develops other IT security standards, Scholl says. "The information that we gather definitely will be informative and impactful to the NIST 800 series [which addresses IT security and information risk management] and the cybersecurity standards that we produce in general," he says.

NIST doesn't have a timetable for when the review will be completed. Scholl says NIST is more concerned about achieving milestones than adhering to a schedule. The milestones include understanding goals and objectives, principles of operation, processes for identifying algorithms for standardizations and methods for reviewing and resolving public comment.

Meanwhile, the deadline for public comments on the reopened random bit generator guidance is Nov. 6. Scholl wouldn't commit to a time when NIST would decide whether it would issue revised guidance on the random bit generator. "That will really be dependent on the comments that we receive and whether they're cogent and consistent," he says. "A lot of it is really going to be driven on the type of feedback we receive as far as what the turnaround time is going to be."

Assuring trust with the cryptographic community is a major reason behind NIST's review. NIST seeks to be transparent, "open for everyone to see," as Scholl puts it, about the processes it employs to create guidance. "More than anything else, this is about ensuring the trust and confidence in people so that they use crypto," he says. "NIST's work in the end is NIST's work. We stand by and believe in the technical merits of what we put out."

About the Author

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
